Merge branch 'feat/eap_method_limit' into 'master'

feat(esp_wifi): Add support to limit EAP methods See merge request espressif/esp-idf!40198
2025-08-02 20:24:32 +02:00 · 2025-07-10 11:44:14 +05:30
parent e5f155229e 6c309b29e9
commit 76d24d2fe5
5 changed files with 125 additions and 11 deletions
--- a/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h
+++ b/components/wpa_supplicant/esp_supplicant/include/esp_eap_client.h
@@ -29,6 +29,18 @@ typedef enum {
    ESP_EAP_TTLS_PHASE2_CHAP        /**< CHAP (Challenge Handshake Authentication Protocol) */
 } esp_eap_ttls_phase2_types;

+/**
+ * @brief Bitmask of supported EAP authentication methods.
+ */
+typedef enum {
+    ESP_EAP_TYPE_NONE    = 0,        /*!< No EAP method defined */
+    ESP_EAP_TYPE_TLS     = (1 << 0), /*!< EAP-TLS method */
+    ESP_EAP_TYPE_TTLS    = (1 << 1), /*!< EAP-TTLS method */
+    ESP_EAP_TYPE_PEAP    = (1 << 2), /*!< EAP-PEAP method */
+    ESP_EAP_TYPE_FAST    = (1 << 3),  /*!< EAP-FAST method */
+    ESP_EAP_TYPE_ALL     = (ESP_EAP_TYPE_TLS | ESP_EAP_TYPE_TTLS | ESP_EAP_TYPE_PEAP | ESP_EAP_TYPE_FAST), /*!< All supported EAP methods */
+} esp_eap_method_t;
+
 /**
 * @brief Configuration settings for EAP-FAST
 *        (Extensible Authentication Protocol - Flexible Authentication via Secure Tunneling).
@@ -70,6 +82,8 @@ esp_err_t esp_wifi_sta_enterprise_enable(void);
 *
 * @note Disabling EAP authentication may cause the device to connect to the Wi-Fi
 * network using other available authentication methods, if configured using esp_wifi_set_config().
+ * @note Calling this will reset all eap configuration set using esp_eap_client_xxx APIs.
+ * Please call esp_eap_client_XXX APIs again to set new config after calling this function.
 *
 * @return
 *    - ESP_OK: EAP authentication disabled successfully.
@@ -344,6 +358,24 @@ void esp_wifi_set_okc_support(bool enable);
 */
 esp_err_t esp_eap_client_set_domain_name(const char *domain_name);

+/**
+ * @brief Set one or more EAP (Extensible Authentication Protocol) methods to be used by the EAP client.
+ *
+ * This API sets the allowed EAP authentication methods using a bitmask.
+ * Multiple methods can be specified by OR-ing together values from `esp_eap_method_t`.
+ *
+ * @param[in] methods Bitmask of EAP methods to enable.
+ *
+ * @return
+ *     - ESP_OK on success
+ *     - ESP_ERR_INVALID_ARG if none of the methods are valid
+ *
+ * @note
+ * If this API is not called, all supported EAP methods will be considered.
+ * If one or more methods are set using this API, only the specified methods will be considered.
+ */
+esp_err_t esp_eap_client_set_eap_methods(esp_eap_method_t methods);
+
 #ifdef __cplusplus
 }
 #endif
--- a/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c
+++ b/components/wpa_supplicant/esp_supplicant/src/esp_eap_client.c
@@ -839,6 +839,8 @@ static esp_err_t esp_client_enable_fn(void *arg)
    }
 #endif
    g_wpa_config_changed = true;
+    /* Enable opportunistic key caching support */
+    esp_wifi_set_okc_support(true);
    return ESP_OK;
 }

@@ -859,9 +861,6 @@ esp_err_t esp_wifi_sta_enterprise_enable(void)
    esp_err_t ret;
    struct wpa_sm *sm = &gWpaSm;

-    /* Enable opportunistic key caching support */
-    esp_wifi_set_okc_support(true);
-
    wpa2_api_lock();

    if (wpa2_is_enabled()) {
@@ -887,6 +886,58 @@ esp_err_t esp_wifi_sta_enterprise_enable(void)
    return ret;
 }

+static void eap_globals_reset(void)
+{
+    os_free(g_wpa_anonymous_identity);
+    g_wpa_anonymous_identity = NULL;
+    g_wpa_anonymous_identity_len = 0;
+
+    os_free(g_wpa_username);
+    g_wpa_username = NULL;
+    g_wpa_username_len = 0;
+
+    g_wpa_client_cert = NULL;
+    g_wpa_client_cert_len = 0;
+
+    g_wpa_private_key = NULL;
+    g_wpa_private_key_len = 0;
+
+    g_wpa_private_key_passwd = NULL;
+    g_wpa_private_key_passwd_len = 0;
+
+    g_wpa_ca_cert = NULL;
+    g_wpa_ca_cert_len = 0;
+
+    os_free(g_wpa_password);
+    g_wpa_password = NULL;
+    g_wpa_password_len = 0;
+
+    os_free(g_wpa_new_password);
+    g_wpa_new_password = NULL;
+    g_wpa_new_password_len = 0;
+
+    g_wpa_ttls_phase2_type = NULL;
+    os_free(g_wpa_phase1_options);
+    g_wpa_phase1_options = NULL;
+
+    os_free(g_wpa_pac_file);
+    g_wpa_pac_file = NULL;
+    g_wpa_pac_file_len = 0;
+
+    g_wpa_suiteb_certification = false;
+
+#ifdef CONFIG_MBEDTLS_CERTIFICATE_BUNDLE
+    g_wpa_default_cert_bundle = false;
+    esp_crt_bundle_attach_fn = NULL;
+#endif
+
+#ifndef CONFIG_TLS_INTERNAL_CLIENT
+    os_free(g_wpa_domain_match);
+    g_wpa_domain_match = NULL;
+#endif
+    g_eap_method_mask = ESP_EAP_TYPE_ALL;
+}
+
 static esp_err_t eap_client_disable_fn(void *param)
 {
    struct wpa_sm *sm = &gWpaSm;
@@ -897,6 +948,7 @@ static esp_err_t eap_client_disable_fn(void *param)
        eap_peer_sm_deinit();
    }

+    eap_globals_reset();
 #ifdef EAP_PEER_METHOD
    eap_peer_unregister_methods();
 #endif
@@ -915,6 +967,7 @@ esp_err_t esp_wifi_sta_enterprise_disable(void)

    if (wpa2_is_disabled()) {
        wpa_printf(MSG_INFO, "EAP: already disabled");
+        eap_globals_reset();
        wpa2_api_unlock();
        return ESP_OK;
    }
@@ -1294,3 +1347,14 @@ esp_err_t esp_eap_client_set_domain_name(const char *domain_name)
    return ESP_OK;
 #endif
 }
+
+esp_err_t esp_eap_client_set_eap_methods(esp_eap_method_t methods)
+{
+
+    if ((methods & ~ESP_EAP_TYPE_ALL) != 0) {
+        return ESP_ERR_INVALID_ARG;
+    }
+
+    g_eap_method_mask = methods;
+    return ESP_OK;
+}
--- a/components/wpa_supplicant/src/eap_peer/eap.c
+++ b/components/wpa_supplicant/src/eap_peer/eap.c
@@ -41,6 +41,7 @@
 #endif

 #include "supplicant_opt.h"
+#include "esp_eap_client.h"

 u8 *g_wpa_anonymous_identity;
 int g_wpa_anonymous_identity_len;
@@ -70,6 +71,7 @@ int (*esp_crt_bundle_attach_fn)(void *conf);
 #ifndef CONFIG_TLS_INTERNAL_CLIENT
 char *g_wpa_domain_match;
 #endif
+uint32_t g_eap_method_mask = ESP_EAP_TYPE_ALL;

 void eap_peer_config_deinit(struct eap_sm *sm);
 void eap_peer_blob_deinit(struct eap_sm *sm);
@@ -623,22 +625,30 @@ int eap_peer_config_init(

 		if (g_wpa_username) {
 			//set EAP-PEAP
-			config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
-			config_methods[allowed_method_count++].method = EAP_TYPE_PEAP;
+			if (g_eap_method_mask & ESP_EAP_TYPE_PEAP) {
+				config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
+				config_methods[allowed_method_count++].method = EAP_TYPE_PEAP;
+			}
 			//set EAP-TTLS
-			config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
-			config_methods[allowed_method_count++].method = EAP_TYPE_TTLS;
+			if (g_eap_method_mask & ESP_EAP_TYPE_TTLS) {
+				config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
+				config_methods[allowed_method_count++].method = EAP_TYPE_TTLS;
+			}
 		}
 		if (g_wpa_private_key) {
 			//set EAP-TLS
-			config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
-			config_methods[allowed_method_count++].method = EAP_TYPE_TLS;
+			if (g_eap_method_mask & ESP_EAP_TYPE_TLS) {
+				config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
+				config_methods[allowed_method_count++].method = EAP_TYPE_TLS;
+			}
 		}
 #ifdef EAP_FAST
 		if (g_wpa_pac_file) {
 			//set EAP-FAST
-			config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
-			config_methods[allowed_method_count++].method = EAP_TYPE_FAST;
+			if (g_eap_method_mask & ESP_EAP_TYPE_FAST) {
+				config_methods[allowed_method_count].vendor = EAP_VENDOR_IETF;
+				config_methods[allowed_method_count++].method = EAP_TYPE_FAST;
+			}
 		}
 #endif
 		// Terminate the allowed method list
--- a/components/wpa_supplicant/src/eap_peer/eap.h
+++ b/components/wpa_supplicant/src/eap_peer/eap.h
@@ -52,6 +52,7 @@ extern int (*esp_crt_bundle_attach_fn)(void *conf);
 #ifndef CONFIG_TLS_INTERNAL_CLIENT
 extern char *g_wpa_domain_match;
 #endif
+extern uint32_t g_eap_method_mask;

 const u8 * eap_get_eapKeyData(struct eap_sm *sm, size_t *len);
 void eap_deinit_prev_method(struct eap_sm *sm, const char *txt);
--- a/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
+++ b/examples/wifi/wifi_enterprise/main/wifi_enterprise_main.c
@@ -96,6 +96,7 @@ static void event_handler(void* arg, esp_event_base_t event_base,

 static void initialise_wifi(void)
 {
+    esp_eap_method_t eap_methods = ESP_EAP_TYPE_ALL;
 #ifdef SERVER_CERT_VALIDATION_ENABLED
    unsigned int ca_pem_bytes = ca_pem_end - ca_pem_start;
 #endif /* SERVER_CERT_VALIDATION_ENABLED */
@@ -103,6 +104,7 @@ static void initialise_wifi(void)
 #ifdef CONFIG_EXAMPLE_EAP_METHOD_TLS
    unsigned int client_crt_bytes = client_crt_end - client_crt_start;
    unsigned int client_key_bytes = client_key_end - client_key_start;
+    eap_methods = ESP_EAP_TYPE_TLS;
 #endif /* CONFIG_EXAMPLE_EAP_METHOD_TLS */

    ESP_ERROR_CHECK(esp_netif_init());
@@ -148,7 +150,11 @@ static void initialise_wifi(void)

 #if defined CONFIG_EXAMPLE_EAP_METHOD_TTLS
    ESP_ERROR_CHECK(esp_eap_client_set_ttls_phase2_method(TTLS_PHASE2_METHOD) );
+    eap_methods = ESP_EAP_TYPE_TTLS;
 #endif /* CONFIG_EXAMPLE_EAP_METHOD_TTLS */
+#if defined (CONFIG_EXAMPLE_EAP_METHOD_PEAP)
+    eap_methods = ESP_EAP_TYPE_PEAP;
+#endif /* CONFIG_EXAMPLE_EAP_METHOD_PEAP */

 #if defined (CONFIG_EXAMPLE_WPA3_192BIT_ENTERPRISE)
    ESP_LOGI(TAG, "Enabling 192 bit certification");
@@ -160,6 +166,7 @@ static void initialise_wifi(void)
 #ifdef CONFIG_EXAMPLE_VALIDATE_SERVER_CERT_DOMAIN
    ESP_ERROR_CHECK(esp_eap_client_set_domain_name(EXAMPLE_SERVER_CERT_DOMAIN));
 #endif
+    ESP_ERROR_CHECK(esp_eap_client_set_eap_methods(eap_methods));
    ESP_ERROR_CHECK(esp_wifi_sta_enterprise_enable());
    ESP_ERROR_CHECK(esp_wifi_start());
 }